D-Link NetDefend DFL-210 User Manual page 309

Network security firewall ver 2.26.01

7.4.1. Translation of a Single IP Address (1:1)
In order for external users to access the web server, they must be able to contact it using a public address. In this
example, we have chosen to translate port 80 on the NetDefend Firewall's external address to port 80 on the web
server:
#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT     any        all-nets  core        wan_ip    http SETDEST wwwsrv 80
2  Allow   any        all-nets  core        wan_ip    http
These two rules allow us to access the web server via the NetDefend Firewall's external IP address. Rule 1 states
that address translation can take place if the connection has been permitted, and rule 2 permits the connection.
Of course, we also need a rule that allows internal machines to be dynamically address translated to the Internet.
In this example, we use a rule that permits everything from the internal network to access the Internet via NAT
hide:
#  Action  Src Iface  Src Net  Dest Iface  Dest Net  Parameters
3  NAT     lan        lannet   any         all-nets  All
The problem with this rule set is that it will not work at all for traffic from the internal network.
In order to illustrate exactly what happens, we use the following IP addresses:
wan_ip (195.55.66.77): a public IP address
lan_ip (10.0.0.1): the NetDefend Firewall's private internal IP address
wwwsrv (10.0.0.2): the web server's private IP address
PC1 (10.0.0.3): a machine with a private IP address
The order of events is as follows:
1. PC1 sends a packet to wan_ip to reach www.ourcompany.com:
   10.0.0.3:1038 => 195.55.66.77:80
2. NetDefendOS translates the address in accordance with rule 1 and forwards the packet in accordance with
   rule 2:
   10.0.0.3:1038 => 10.0.0.2:80
3. wwwsrv processes the packet and replies:
   10.0.0.2:80 => 10.0.0.3:1038
This reply arrives directly at PC1 without passing through the NetDefend Firewall. This causes problems.
The reason this will not work is that PC1 expects a reply from 195.55.66.77:80 and not from 10.0.0.2:80. The
unexpected reply is discarded and PC1 continues to wait for a response from 195.55.66.77:80, which will never
arrive.
Making a minor change to the rule set, in the same way as described above, will solve the problem. In this
example, for no particular reason, we choose to use option 2:
#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT     any        all-nets  core        wan_ip    http SETDEST wwwsrv 80
2  NAT     lan        lannet    any         all-nets  All
3  Allow   any        all-nets  core        wan_ip    http
1. PC1 sends a packet to wan_ip to reach "www.ourcompany.com":
   10.0.0.3:1038 => 195.55.66.77:80
2. NetDefendOS address translates this statically in accordance with rule 1 and dynamically in accordance with
   rule 2:
   10.0.0.1:32789 => 10.0.0.2:80
3. wwwsrv processes the packet and replies:
   10.0.0.2:80 => 10.0.0.1:32789
309
Chapter 7. Address Translation
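As an added illustration that is not part of the D-Link manual, the following Python model applies both rule sets from this page to the request from PC1 and shows why the first ordering breaks the return path and the reordered one (SAT, NAT, Allow) repairs it. The rule-matching logic, the /24 mask assumed for lannet and the omission of interfaces are simplifications of the model, not NetDefendOS behaviour; the ephemeral port 32789 is the one used in the page's own walk-through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Address book taken from the page
WAN_IP = "195.55.66.77"   # wan_ip
LAN_IP = "10.0.0.1"       # lan_ip
WWWSRV = "10.0.0.2"       # wwwsrv
PC1 = "10.0.0.3"          # PC1
LANNET = ip_network("10.0.0.0/24")  # assumption: the page gives no mask for lannet
NAT_PORT = 32789          # ephemeral port used in the page's walk-through


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def __str__(self) -> str:
        return f"{self.src}:{self.sport} => {self.dst}:{self.dport}"


@dataclass(frozen=True)
class Rule:
    num: int
    action: str            # "SAT", "NAT" or "Allow"
    src_net: str           # "all-nets" or "lannet"
    dst_net: str           # "all-nets" or "wan_ip"
    service: str           # "http" or "All"
    setdest: Optional[Tuple[str, int]] = None   # SAT "SETDEST addr port"


def _net_matches(name: str, addr: str) -> bool:
    if name == "all-nets":
        return True
    if name == "lannet":
        return ip_address(addr) in LANNET
    if name == "wan_ip":
        return addr == WAN_IP
    raise ValueError(f"unknown address object {name!r}")


def _service_matches(name: str, pkt: Packet) -> bool:
    return name == "All" or (name == "http" and pkt.dport == 80)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Simplification: interfaces are ignored; only networks and service are matched,
    # always against the packet as it originally arrived (before any SAT rewrite).
    return (_net_matches(rule.src_net, pkt.src)
            and _net_matches(rule.dst_net, pkt.dst)
            and _service_matches(rule.service, pkt))


def process(rules: List[Rule], pkt: Packet) -> Optional[Packet]:
    """Scan the rule set top to bottom as the page describes: a SAT match records
    the destination rewrite but permits nothing by itself; the first Allow or NAT
    match permits the packet, and NAT additionally rewrites the source to the
    firewall's own address.  Returns the forwarded packet, or None if dropped."""
    sat: Optional[Tuple[str, int]] = None
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "SAT":
            sat = rule.setdest
            continue
        out = pkt
        if sat is not None:
            out = Packet(out.src, out.sport, sat[0], sat[1])
        if rule.action == "NAT":
            out = Packet(LAN_IP, NAT_PORT, out.dst, out.dport)
        return out
    return None


def reply_reaches_pc1(rules: List[Rule]) -> bool:
    """Replay the page's walk-through: does PC1 get the reply it is waiting for?"""
    request = Packet(PC1, 1038, WAN_IP, 80)
    fwd = process(rules, request)
    if fwd is None:
        return False
    # wwwsrv answers whichever source address it saw in the request.
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    if reply.dst != LAN_IP and ip_address(reply.dst) in LANNET:
        # Same subnet as the server: delivered directly, bypassing the firewall,
        # so PC1 sees 10.0.0.2:80 as the source and discards the packet.
        seen_by_pc1 = reply
    else:
        # Addressed to the firewall, which reverses both translations.
        seen_by_pc1 = Packet(WAN_IP, 80, request.src, request.sport)
    return (seen_by_pc1.src, seen_by_pc1.sport) == (request.dst, request.dport)


# First rule set on the page: SAT, Allow, then the NAT hide rule
BROKEN = [
    Rule(1, "SAT", "all-nets", "wan_ip", "http", setdest=(WWWSRV, 80)),
    Rule(2, "Allow", "all-nets", "wan_ip", "http"),
    Rule(3, "NAT", "lannet", "all-nets", "All"),
]

# Corrected rule set from the last table: NAT moved ahead of Allow
FIXED = [
    Rule(1, "SAT", "all-nets", "wan_ip", "http", setdest=(WWWSRV, 80)),
    Rule(2, "NAT", "lannet", "all-nets", "All"),
    Rule(3, "Allow", "all-nets", "wan_ip", "http"),
]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        fwd = process(rules, Packet(PC1, 1038, WAN_IP, 80))
        print(f"{name}: forwarded as {fwd}; PC1 gets usable reply: {reply_reaches_pc1(rules)}")
```

The model makes the ordering dependency explicit: in the first rule set the Allow rule is reached before the NAT rule, so the packet leaves with PC1's own source address and the server's reply never returns through the firewall; once NAT precedes Allow, the source becomes lan_ip and the firewall is on the return path to undo both translations.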
